Never Miss Reporting Data With Sophos UTM's Remote Log Archive

Many log file analysis applications, including Fastvue Sophos Reporter, consume Syslog messages from the device being monitored. This is great for seeing a live view of network traffic, but if the server goes offline temporarily (such as when you perform a reboot after patching), the syslog messages sent during that time are lost, leaving gaps in your reporting data.

Fortunately, Fastvue Sophos Reporter takes precautions to ensure the integrity and accuracy of reporting data is maintained even when it is not available to receive syslog messages. It does this by utilizing Sophos UTM's Remote Log Archive feature to fill in the blanks if the syslog stream is interrupted.

About Sophos UTM's Remote Log Archive

In addition to Syslog, Sophos UTM also has the option of saving its logs to a Remote Log File Archive server on a daily basis. At midnight each night, Sophos UTM will copy the previous day's log files to the remote log archive share.

Fastvue Sophos Reporter can be configured to import the historic data from this location in addition to consuming the live syslog messages. Not only does this give you access to historical data to investigate previous incidents, but it also gives you a fault tolerant, dual import strategy to fill in any gaps in the syslog data.

Setup

Enabling this great functionality can be done in three easy steps.

Step 1 - Configure A Shared Folder For the Logs

Using a Windows shared folder is the simplest way of configuring this. A Windows file share can also be referred to as a SMB or CIFS share. This does not have to be on the Fastvue Sophos Reporter server itself, but the Fastvue Sophos Reporter service will need read access to the share (local System account by default).

To create a shared folder:

1. Create a new folder on a drive with a good amount of disk space to hold your historical logs.
2. Right-click and select Share with | Specific People...
3. Specify the username you will use to copy files from the Sophos UTM to this file share (a dedicated service account is recommended)
4. Click Add and make sure Read/ Write is enabled, then click the Share Button

Step 2 - Enable Remote Log File Archive on the Sophos UTM

This setting will instruct the Sophos UTM device to pack all the logs for the day into a compressed file and copy it to the file share.  I am going to work under the assumption that you already have a host specified. As shown here https://vimeo.com/78974684.

1. Log in to the Sophos UTM management interface and select Logging and Reporting | Remote Log File Archives
2. For the type of remote archive select SMB (CIFS) share
3. Specify the host. Generally the Fastvue Sophos Reporter host would already exist after enabling the syslog feature, but as mentioned above, the remote log archive does not have to be on the Sophos Reporter machine.
4. Specify the username (just the username - no domain, prefix or suffix) and password of the account that you granted read/write access to the file share.
5. Specify the Share name (just the share name - do not specify a UNC path)
6. Specify the Domain’s main domain name, not the FQDN
7. Click Apply

In the screenshot above, you can see the Fastvue Sophos Reporter server “labs2” has a share on it called “Export”. The domain name is LABS and the user account I am using is "vantage".

Step 3 - Configure Sophos Reporter to Import Historic Logs

I am going to work under the assumption that you already have a syslog Source specified in Settings | Sources. If not, click Add Source to add your Sophos UTM as a source. We will edit that source to simply add the historic log location.

1. Click the Gear Icon to open the options for the existing Source.
2. Check the Import Historical Logs? checkbox.
3. Specify the path (local or UNC) and click Test to confirm everything is working
4. Click Save source

That’s all there is to it!

At midnight each night, Sophos UTM will copy the previous day's log files to the remote log archive share. Fastvue Sophos Reporter will detect these new files and import any data that has not already been imported from the previous day's syslog stream.

Conclusion

Configuring the Sophos UTMs remote log archive and Fastvue's historic data import features are a great way to ensure you never miss potentially important reporting data. With very little configuration Fastvue Sophos Reporter will take care of everything and provide reports that are accurate and easy to use, even if the syslog process is disrupted.

If you have issues configuring Sophos UTM's Remote Log Archive feature, see my other article on Troubleshooting Sophos UTM's Remote Log Archive.